---
title: Authorization
description: A template used to represent an access control query.
location: https://istio.io/docs/reference/config/policy-and-telemetry/templates/authorization.html
layout: protoc-gen-docs
generator: protoc-gen-docs
redirect_from: /docs/reference/config/template/authorization.html
number_of_entries: 4
---
<p>The <code>authorization</code> template defines parameters for performing policy
enforcement within Istio. It is primarily concerned with enabling Mixer</p>

<p>Example config:</p>

<pre><code class="language-yaml">apiVersion: &quot;config.istio.io/v1alpha2&quot;
kind: authorization
metadata:
  name: authinfo
  namespace: istio-system
spec:
 subject:
   user: source.user | request.auth.token[user] | &quot;&quot;
   groups: request.auth.token[groups]
   properties:
    iss: request.auth.token[&quot;iss&quot;]
 action:
   namespace: destination.namespace | &quot;default&quot;
   service: destination.service | &quot;&quot;
   path: request.path | &quot;/&quot;
   method: request.method | &quot;post&quot;
   properties:
     version: destination.labels[version] | &quot;&quot;
</code></pre>

<h2 id="Action">Action</h2>
<section>
<p>An action defines &ldquo;how a resource is accessed&rdquo;.</p>

<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="Action.namespace">
<td><code>namespace</code></td>
<td><code>string</code></td>
<td>
<p>Namespace the target action is taking place in.</p>

</td>
</tr>
<tr id="Action.service">
<td><code>service</code></td>
<td><code>string</code></td>
<td>
<p>The Service the action is being taken on.</p>

</td>
</tr>
<tr id="Action.method">
<td><code>method</code></td>
<td><code>string</code></td>
<td>
<p>What action is being taken.</p>

</td>
</tr>
<tr id="Action.path">
<td><code>path</code></td>
<td><code>string</code></td>
<td>
<p>HTTP REST path within the service</p>

</td>
</tr>
<tr id="Action.properties">
<td><code>properties</code></td>
<td><code>map&lt;string,&nbsp;<a href="#istio.policy.v1beta1.Value">istio.policy.v1beta1.Value</a>&gt;</code></td>
<td>
<p>Additional data about the action for use in policy.</p>

</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Subject">Subject</h2>
<section>
<p>A subject contains a list of attributes that identify
the caller identity.</p>

<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="Subject.user">
<td><code>user</code></td>
<td><code>string</code></td>
<td>
<p>The user name/ID that the subject represents.</p>

</td>
</tr>
<tr id="Subject.groups">
<td><code>groups</code></td>
<td><code>string</code></td>
<td>
<p>Groups the subject belongs to depending on the authentication mechanism,
&ldquo;groups&rdquo; are normally populated from JWT claim or client certificate.
The operator can define how it is populated when creating an instance of
the template.</p>

</td>
</tr>
<tr id="Subject.properties">
<td><code>properties</code></td>
<td><code>map&lt;string,&nbsp;<a href="#istio.policy.v1beta1.Value">istio.policy.v1beta1.Value</a>&gt;</code></td>
<td>
<p>Additional attributes about the subject.</p>

</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Template">Template</h2>
<section>
<p>The <code>authorization</code> template defines parameters for performing policy
enforcement within Istio. It is primarily concerned with enabling Mixer
adapters to make decisions about who is allowed to do what.
In this template, the &ldquo;who&rdquo; is defined in a Subject message. The &ldquo;what&rdquo; is
defined in an Action message. During a Mixer Check call, these values
will be populated based on configuration from request attributes and
passed to individual authorization adapters to adjudicate.</p>

<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="Template.subject">
<td><code>subject</code></td>
<td><code><a href="#Subject">Subject</a></code></td>
<td>
<p>A subject contains a list of attributes that identify
the caller identity.</p>

</td>
</tr>
<tr id="Template.action">
<td><code>action</code></td>
<td><code><a href="#Action">Action</a></code></td>
<td>
<p>An action defines &ldquo;how a resource is accessed&rdquo;.</p>

</td>
</tr>
</tbody>
</table>
</section>
<h2 id="istio.policy.v1beta1.Value">istio.policy.v1beta1.Value</h2>
<section>
<p>An instance field of type Value denotes that the expression for the field is of dynamic type and can evalaute to any
<em>ValueType</em> enum values. For example, when
authoring an instance configuration for a template that has a field <code>data</code> of type <code>istio.policy.v1beta1.Value</code>,
both of the following expressions are valid <code>data: source.ip | ip(&quot;0.0.0.0&quot;)</code>, <code>data: request.id | &quot;&quot;</code>;
the resulting type is either ValueType.IP_ADDRESS or ValueType.STRING for the two cases respectively.</p>

<p>Objects of type Value are also passed to the adapters during request-time. There is a 1:1 mapping between
oneof fields in <code>Value</code> and enum values inside <code>ValueType</code>. Depending on the expression&rsquo;s evaluated <code>ValueType</code>,
the equivalent oneof field in <code>Value</code> is populated by Mixer and passed to the adapters.</p>

<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="istio.policy.v1beta1.Value.string_value" class="oneof oneof-start">
<td><code>stringValue</code></td>
<td><code>string (oneof)</code></td>
<td>
<p>Used for values of type STRING</p>

</td>
</tr>
<tr id="istio.policy.v1beta1.Value.int64_value" class="oneof">
<td><code>int64Value</code></td>
<td><code>int64 (oneof)</code></td>
<td>
<p>Used for values of type INT64</p>

</td>
</tr>
<tr id="istio.policy.v1beta1.Value.double_value" class="oneof">
<td><code>doubleValue</code></td>
<td><code>double (oneof)</code></td>
<td>
<p>Used for values of type DOUBLE</p>

</td>
</tr>
<tr id="istio.policy.v1beta1.Value.bool_value" class="oneof">
<td><code>boolValue</code></td>
<td><code>bool (oneof)</code></td>
<td>
<p>Used for values of type BOOL</p>

</td>
</tr>
<tr id="istio.policy.v1beta1.Value.ip_address_value" class="oneof">
<td><code>ipAddressValue</code></td>
<td><code><a href="#istio.policy.v1beta1.IPAddress">istio.policy.v1beta1.IPAddress (oneof)</a></code></td>
<td>
<p>Used for values of type IPAddress</p>

</td>
</tr>
<tr id="istio.policy.v1beta1.Value.timestamp_value" class="oneof">
<td><code>timestampValue</code></td>
<td><code><a href="#istio.policy.v1beta1.TimeStamp">istio.policy.v1beta1.TimeStamp (oneof)</a></code></td>
<td>
<p>Used for values of type TIMESTAMP</p>

</td>
</tr>
<tr id="istio.policy.v1beta1.Value.duration_value" class="oneof">
<td><code>durationValue</code></td>
<td><code><a href="#istio.policy.v1beta1.Duration">istio.policy.v1beta1.Duration (oneof)</a></code></td>
<td>
<p>Used for values of type DURATION</p>

</td>
</tr>
<tr id="istio.policy.v1beta1.Value.email_address_value" class="oneof">
<td><code>emailAddressValue</code></td>
<td><code><a href="#istio.policy.v1beta1.EmailAddress">istio.policy.v1beta1.EmailAddress (oneof)</a></code></td>
<td>
<p>Used for values of type EmailAddress</p>

</td>
</tr>
<tr id="istio.policy.v1beta1.Value.dns_name_value" class="oneof">
<td><code>dnsNameValue</code></td>
<td><code><a href="#istio.policy.v1beta1.DNSName">istio.policy.v1beta1.DNSName (oneof)</a></code></td>
<td>
<p>Used for values of type DNSName</p>

</td>
</tr>
<tr id="istio.policy.v1beta1.Value.uri_value" class="oneof">
<td><code>uriValue</code></td>
<td><code><a href="#istio.policy.v1beta1.Uri">istio.policy.v1beta1.Uri (oneof)</a></code></td>
<td>
<p>Used for values of type Uri</p>

</td>
</tr>
</tbody>
</table>
</section>
